TeaBot Banking Trojan Steals SMS and Login Credentials
Security experts at Cleafy have discovered an Android malware called TeaBot (also known as Anatsa), which steals user credentials and intercepts SMS messages to steal funds from bank accounts in Spain, Germany, Italy, Belgium, and the Netherlands.
According to researchers, the banking trojan is still in the early stages of development. While the first signs of its activity appeared back in January, attacks on financial applications have only been observed since the end of March 2021. At the beginning of this month, a major wave of infections was detected among banking users in Belgium and the Netherlands.
“The main goal of TeaBot is to steal victims’ credentials and SMS messages in order to commit fraud against a predefined list of banks. After successfully installing TeaBot on a device, attackers can get a live stream of the device’s screen (on request) and interact with it through Accessibility Services,” the experts report.
The malware typically disguises itself as various multimedia services and delivery apps, including TeaTV, VLC Media Player, DHL, and UPS. The app acts as a dropper, not only downloading a second-stage payload but also forcing the victim to grant all necessary permissions to the malware.
Once the malware gains access to Accessibility Services, the criminals can intercept keystrokes, take screenshots, and inject malicious overlays on top of legitimate banking app login screens (to steal credentials and bank card data). In addition, TeaBot can disable Google Play Protect, intercept SMS messages, and capture 2FA codes from Google Authenticator. Every 10 seconds, the collected information is sent to a remote server controlled by the attackers.
How to Protect Yourself
- Only download apps from trusted sources like the Google Play Store.
- Be cautious of apps requesting extensive permissions, especially Accessibility Services.
- Keep your device’s security software up to date.
- Regularly monitor your bank accounts for suspicious activity.
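The caution about Accessibility Services can be checked on a device connected over adb. The following added example, which is not part of the original article, parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`, and lists apps that hold an enabled accessibility service but were neither preinstalled nor installed from the Play Store. The sample strings and `com.example.*` package names are constructed, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
import re

# Assumption: only the Google Play Store counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(setting):
    """Packages named in `settings get secure enabled_accessibility_services`."""
    setting = setting.strip()
    if not setting or setting == "null":      # "null" means no service is enabled
        return set()
    # The value is a colon-separated list of components written as package/class.
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def parse_installers(pm_i_output):
    """Map package -> installer (None if unknown) from `pm list packages -i`."""
    installers = {}
    for line in pm_i_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_system(pm_s_output):
    """Preinstalled packages from `pm list packages -s`."""
    return {l.strip()[len("package:"):] for l in pm_s_output.splitlines()
            if l.strip().startswith("package:")}

def sideloaded_accessibility(setting, pm_i_output, pm_s_output=""):
    """(package, installer) pairs with an enabled accessibility service that
    are not system apps and did not come from a trusted installer."""
    installers = parse_installers(pm_i_output)
    system = parse_system(pm_s_output)
    return [(pkg, installers.get(pkg))
            for pkg in sorted(parse_accessibility(setting))
            if pkg not in system and installers.get(pkg) not in TRUSTED_INSTALLERS]

# Constructed sample output (not taken from a real device or from the article).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.mediaplayer/.HelperService:"
                  "com.example.oem.assist/.AssistService:"
                  "com.example.delivery/.TrackService")
SAMPLE_PM_I = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mediaplayer  installer=null
package:com.example.oem.assist  installer=null
package:com.example.delivery  installer=com.google.android.packageinstaller
"""
SAMPLE_PM_S = "package:com.example.oem.assist\n"

if __name__ == "__main__":
    for pkg, inst in sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM_I, SAMPLE_PM_S):
        print(f"review: {pkg} (installer: {inst})")
```

A flagged package is a prompt to review the app, not proof of infection; legitimate sideloaded tools will also appear.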
Stay vigilant and protect your personal and financial information from emerging threats like TeaBot.